Privileges

You can manage who can do what with your Coveo Cloud organization by assigning access levels on privileges when you define groups or API keys (see Manage Groups and Manage API Keys). The tables below show which access levels are available for each privilege.

In the Coveo Cloud V2 administration console, privileges are grouped by service. Group members that are granted an access level for a privilege typically gain access to one or more related administration console main menu pages and related API calls. For most privileges, the available access levels are View and Edit. Members with the View access level on a privilege can only review the configuration of a resource. To edit the configuration and access the child panels of a main menu page, the Edit access level is usually required. Similarly, the ability to create new resources is automatically granted with the Edit access level, unless, for Sources, you opt for a Custom access level, in which case you can choose whether to grant it or not (see Custom).

  • Although most privilege names may be similar to the options in the Coveo Cloud V2 administration console navigation menu, a View or Edit access level on a privilege alone is not necessarily sufficient to view or edit the corresponding page content. Other privileges may be required to view or edit the content of an administration console page. See the Required Privileges section at the bottom of the documentation page corresponding to the desired administration console page for a list of all required privileges.

  • The minimal privilege to allow members of a group to access any Coveo Cloud administration console main menu page is the Organization privilege from the Organization service (see Organization Privilege).

    When your Coveo Cloud organization members do not have the minimal View access level on the Organization privilege and try to log in to the Coveo Cloud V2 administration console, they get the following message:

    Insufficient privileges

    You currently have insufficient privileges to access the Coveo Cloud administration console of the [OrganizationName] organization. Contact an administrator of the [OrganizationName] organization to change your privileges, or select an organization to which you have access through the Coveo Cloud administration console.

The API keys, Groups, Sources, and Extensions privileges offer the Custom access level option, which allows you to grant each API key, source, or group its own access level (see API Keys Privilege, Sources Privilege, and Groups Privilege). For instance, you could grant your SharePoint Administrators group the Edit access level for your SharePoint sources, but only the View level for the other sources in the organization. Moreover, when you select the Custom access level option for Sources, you can decide whether the grantee (group or API key) should also be able to create new API keys or sources, respectively.

  • The Administrators group cannot be deleted, and its privileges cannot be edited (see Delete a Group). You can however duplicate the Administrators group, and then edit the desired parameters for the new group (see Duplicate a Group).

  • Privileges have nothing to do with view permissions on source items (see Coveo Cloud V2 Management of Security Identities and Item Permissions). Coveo Cloud organization privileges allow you to control who can do what through the Coveo Cloud administration console or API, while permissions on source items, dependent on your source configuration, determine which end-users can see what items in search results.

  • When you edit the privileges of a group or an API key, your options may vary. For each privilege, the access levels you can grant depend on the access level you have yourself, as well as the level that was last saved (see Groups and API Keys). In short, the list of access levels from which you can choose generally consists of the last saved access level, the access level you have, and the access levels of lesser importance than those.

    The following table summarizes the available access levels in each scenario, assuming you have the Edit access level for the group or API key of which you want to edit the privileges:

    Access level you have | Last saved access level | Access levels you can grant the group or API key
    None | None | N/A (you cannot change the access level)
    None | View all | None or View all
    None | Custom | None, View all, or Custom (see Note 1)
    None | Edit all | None, View all, or Edit all
    View all | None or View all | None or View all
    View all | Custom | None, View all, or Custom
    View all | Edit all | None, View all, or Edit all
    Custom | None, View all, or Custom | None, View all, or Custom
    Custom | Edit all | None, View all, Custom, or Edit all
    Edit all | Any | None, View all, Custom, or Edit all

    Note 1: In this scenario, albeit with Custom selected, you cannot view the list of sources available in the organization, as you do not have the View all access level on Sources (see Sources privilege).

    This table also applies for privileges that do not offer the Custom access level option, such as Fields (see Fields privilege).

    You are allowed to edit the Content Viewers group. This group has the View all access level for the Fields privilege, while you have Edit all. When changing the group’s access level for this privilege, you can choose from your access level, those of lesser importance, and the original group’s access level, i.e., Edit all, View all, or no access at all.

    However, after switching from a higher access level to a lower level, you may not be able to grant the higher level again if you are not yourself granted this higher access level.

    You are allowed to edit groups and to view fields, and you want to revoke the ability of the Content Manager group to edit fields. Since your access level options for the Fields resource consist of the last saved access level (Edit), the access level you have (View), and the access levels of lesser importance than those (no access), you can choose from Edit, View, and no access at all. You switch the Fields access level from Edit to View and save, so the last saved access level is now View. Then, the next time you edit the privileges of the Content Manager group, your access level options for Fields are only View and no access at all, since you do not have the Edit access level on Fields yourself.

    Similarly, if only one of your groups grants you a higher access level on a certain resource and you edit this group’s privileges to select a lower access level for this resource, you will permanently lose the higher access level after saving.

    You are a member of the Group Managers group, which is the only one of your groups that grants you the privilege to edit groups. You no longer want the Group Managers group to be able to edit groups, so you switch its Groups access level to View. Once you save, you lose your ability to edit groups and are only able to view them, as Group Managers was the only group that granted you the Edit access level on Groups.

When a user is a member of groups that have conflicting privilege access levels, the highest granted access level applies.

John Smith is a member of the Analytics Viewers and the custom-made Limited Administrators groups. The following table shows an excerpt of the privileges granted to both groups.

Service | Name | Analytics Viewers access levels | Limited Administrators access levels
Analytics | Administrate | (None) | Allowed
Analytics | Analytics data | View | Edit
Analytics | Data Exports | View | Edit
Analytics | Dimensions | View | Edit
Analytics | Impersonate | Allowed | (None)

Since the first four privilege access levels granted to the Limited Administrators group are of a higher level than those granted to the Analytics Viewers group, these Limited Administrators privilege access levels apply to John Smith. Therefore, John Smith can edit dimensions, for instance, even though he is also in the Analytics Viewers group, which is not allowed to perform dimension edits.

As for the Impersonate privilege, however, the Analytics Viewers group has the Allowed access level while the Limited Administrators group does not. Consequently, John Smith is granted the Allowed access level.

The following table shows the resulting privileges granted to John Smith.

Service | Name | John Smith's access levels
Analytics | Administrate | Allowed
Analytics | Analytics data | Edit
Analytics | Data Exports | Edit
Analytics | Dimensions | Edit
Analytics | Impersonate | Allowed
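
The grant options table and the highest-level rule described above can be modelled together, which makes it easy to check a planned privilege change before saving it. The following Python code is an added example, not Coveo code or a Coveo API: the function names grantable, effective, and level_after_change are hypothetical, View and Edit stand for View all and Edit all, and the sample data is constructed from the Content Manager, Group Managers, and John Smith examples on this page.

```python
# Added illustration of the rules on this page; not Coveo code or a Coveo API.
# "View" and "Edit" stand for "View all" and "Edit all" where the page uses those names.
# "Allowed" belongs to two-valued privileges and is only compared with "None".
RANK = {"None": 0, "Allowed": 1, "View": 1, "Custom": 2, "Edit": 3}
LADDER = ("None", "View", "Custom", "Edit")


def grantable(own, last_saved):
    """Levels an editor holding `own` can pick when the saved level is `last_saved`.

    Assumes, as the table does, that the editor may edit the group or API key.
    A result with a single element means the level cannot be changed.
    """
    options = {last_saved}
    # Everything up to the editor's own level.
    options |= {lvl for lvl in LADDER if RANK[lvl] <= RANK[own]}
    # Below the last saved level the table offers only None and View;
    # Custom appears only when the editor holds it or it was last saved.
    options |= {lvl for lvl in ("None", "View") if RANK[lvl] <= RANK[last_saved]}
    return options


def effective(groups):
    """Highest level per privilege across all groups a member belongs to."""
    result = {}
    for privileges in groups.values():
        for name, level in privileges.items():
            current = result.get(name, "None")
            result[name] = max(current, level, key=RANK.get)
    return result


def level_after_change(groups, group, privilege, new_level):
    """Member's effective level on `privilege` once `group` is saved at `new_level`."""
    changed = {g: dict(p) for g, p in groups.items()}
    changed[group][privilege] = new_level
    return effective(changed)[privilege]


# Constructed sample data, copied from the John Smith example on this page.
JOHN_SMITH = {
    "Analytics Viewers": {
        "Administrate": "None", "Analytics data": "View",
        "Data Exports": "View", "Dimensions": "View", "Impersonate": "Allowed",
    },
    "Limited Administrators": {
        "Administrate": "Allowed", "Analytics data": "Edit",
        "Data Exports": "Edit", "Dimensions": "Edit", "Impersonate": "None",
    },
}

if __name__ == "__main__":
    print(effective(JOHN_SMITH))
    # Content Manager example: the editor has View on Fields, the group has Edit.
    print(sorted(grantable("View", "Edit"), key=RANK.get))
    # After saving View, Edit is no longer offered to this editor.
    print(sorted(grantable("View", "View"), key=RANK.get))
    # Group Managers example: the only group granting Edit on Groups is lowered.
    me = {"Group Managers": {"Groups": "Edit"}}
    print(level_after_change(me, "Group Managers", "Groups", "View"))
```

Running level_after_change against your own group memberships before saving shows whether a change would lower your own effective level, which is the situation the Group Managers example describes.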

Moreover, when you edit the privileges of a group or an API key, a Discard changes button appears on the right-hand side of the privilege rows you modified, allowing you to revert all changes made for this privilege. In the service menu on the left-hand side, a number between parentheses indicates the number of edited privilege rows in the corresponding service that will be saved when you click Save.

Two unsaved privileges in the Content service

The following sections correspond to the services and privileges displayed in the Privilege tab you see when creating or editing a group or an API key (see Groups - Page and API Keys - Page). They present the abilities that come with each access level option for a privilege. For each privilege, the Typical grantees column shows which of the built-in groups are granted each level by default: Administrators, Analytics Managers, Analytics Viewers, Content Managers, Relevance Managers, and Users (see About Coveo Cloud V2 User Management). See also About Coveo Cloud V2 User Management for a list of the default access levels granted to each built-in role.

Analytics Service

Administrate Privilege

Access level Grantee abilities Typical grantees
Allowed
  • Manage the organization usage analytics data:

    • Add and delete test usage analytics data in the account

    • Edit, get, delete, and disable the organization account

  • Define IP addresses whose events are flagged as internal (see Administration API - Version 15 and Internal Events)

This privilege is especially potent since grantees can delete usage analytics data and could inadvertently corrupt it as well. Administrators should be careful when granting this privilege and are encouraged to review the Coveo Cloud privilege documentation before proceeding.

  • Administrators

  • API keys

Analytics Data Privilege

Access level Grantee abilities Typical grantees
View
  • Analytics managers

  • Analytics viewers

  • Relevance managers

Push

Send analytics events to the Coveo usage analytics service (see Manage API Keys)

OAuth tokens, API keys, and search tokens assigned to a process such as a search interface

Push and view

Administrators

Data Exports Privilege

The Data exports privilege access levels are ineffective without the View access level on the Analytics data privilege (see Analytics Data Privilege).

Access level Grantee abilities Typical grantees
View

View and download usage analytics data exports containing clicks, groups, keywords, searches, and custom events meeting the specified criteria for a specific date range (see Managing Data Exports)

Edit
  • Administrators

  • Analytics managers

  • Analytics viewers

  • Relevance managers

Dimensions Privilege

The Dimensions privilege access levels are ineffective without the View access level on the Analytics data privilege (see Analytics Data Privilege).

Access level Grantee abilities Typical grantees
View

Analytics viewers

Edit

Add, edit, or delete dimensions created by Coveo Cloud organization members (see Managing Dimensions on Custom Metadata).

  • Administrators

  • Analytics managers

Impersonate Privilege

Access level Grantee abilities Typical grantees
Allowed

Allow a custom process or bot to push usage analytics events with different identities.

  • Administrators

  • API keys

Incoherent Events Privilege

Access level Grantee abilities Typical grantees
View

View incoherent events (see Reviewing Incoherent Usage Analytics Events)

Administrators

Metric Alerts Privilege

Required to use an upcoming feature. Granting it to users or groups does not give them any additional capabilities yet.

Named Filters Privilege

The Named filters privilege access levels are ineffective without the View access level on the Analytics data and Dimensions privileges (see Analytics Data Privilege and Dimensions Privilege).

Access level Grantee abilities Typical grantees
View

View named filters (see Managing Named Filters)

  • Analytics viewers

  • Users

Edit

Add, edit, or delete named filters (see Managing Named Filters)

  • Administrators

  • Analytics managers

  • Relevance managers

Permission Filters Privilege

The Permission filters privilege access levels are ineffective without the View access level on the Analytics data and Dimensions privileges (see Analytics Data Privilege and Dimensions Privilege).

Access level Grantee abilities Typical grantees
View

View permission filters restricting the usage analytics data that analysts can review in reports (see Managing Permission Filters)

Without the View access level, you cannot see the permission filters that are assigned to your identity in reports.

  • Analytics viewers

  • Analytics managers

  • Relevance managers

  • Users

Edit

Add, edit, or delete permission filters (see Managing Permission Filters)

The Edit access level is ineffective without the View access level on the Groups privilege (see Groups Privilege).

Administrators

Reports Privilege

The Reports privilege access levels are ineffective without the View access level on the Analytics data and Dimensions privileges (see Analytics Data Privilege and Dimensions Privilege).

Access level Grantee abilities Typical grantees
View

View usage analytics reports (see Reviewing and Managing Dashboards and Reviewing and Managing Usage Analytics Explorers)

Analytics viewers
Edit

Add, edit, or delete usage analytics reports (see Managing Usage Analytics Reports)

The Edit access level is ineffective without the Allowed access level on the Administrate privilege (see Administrate Privilege).

  • Administrators

  • Analytics managers

  • Relevance managers

Suggest Queries Privilege

Access level Grantee abilities Typical grantees
Allowed

Allow a process such as a search interface to receive query suggestions from the Coveo Usage Analytics service (see About Usage Analytics Service Query Suggestions)

  • Administrators

  • API keys

View All Reports Privilege

Access level Grantee abilities Typical grantees
Allowed

View all reports, regardless of report accesses (see Managing Usage Analytics Report Access in Reports). Members that do not have this access level can only review the reports they are explicitly allowed to access.

This privilege is especially potent since grantees bypass report permissions and could therefore access sensitive information that they would not be allowed to access otherwise. Administrators should be careful when granting this privilege and are encouraged to review the Coveo Cloud privilege documentation before proceeding.

  • Administrators

  • Analytics managers

Content Service

Extensions Privilege

Access level Grantee abilities Typical grantees
View

View the code and usage statistics of available extensions assigned to sources. This is especially useful when troubleshooting cases such as item indexing issues (see Manage Extensions).

Custom (see Note 1)

View

View the code and usage statistics of the specified extensions. This is especially useful when troubleshooting cases such as item indexing issues (see Manage Extensions).

Edit

Add code snippets to apply transformations to included items such as adding or modifying metadata (see Manage Extensions). It is recommended to grant this privilege to developers only.

Edit

Add code snippets to apply transformations to included items such as adding or modifying metadata (see Manage Extensions). It is recommended to grant this privilege to developers only.

  • Administrators

  • Content managers

Note 1: See Custom Access Level.

Fields Privilege

Access level Grantee abilities Typical grantees
View

View fields and field configuration (see Manage Fields)

Users
Edit
  • Administrators

  • API keys

  • Content managers

Security Identities Privilege

The Security identities privilege access levels are ineffective without the View access level on the Security identity providers privilege (see Security Identity Providers Privilege).

Access level Grantee abilities Typical grantees
View
  • View security identity provider update status, statistics, and refresh schedule (see Manage Security Identities)

  • View security identity provider references such as provider IDs and the sources that use each provider (see Review Additional Statistics)

  • View the permissions and effective permissions on Coveo Cloud organization items (see Review Item Properties)

  • View security identities and their status inside each security provider

Edit

Only required by certain API calls (e.g., enable all disabled entities in security cache). Granting it to users or groups does not give them any additional capabilities.

Administrators

Security Identity Providers Privilege

Access level Grantee abilities Typical grantees
View
  • View security identity provider update status, statistics, and refresh schedule (see Manage Security Identities)

  • View security identity provider references such as provider IDs and the sources that use each provider (see Review Additional Statistics)

  • View security identities and their status inside each security provider

Edit

Administrators

Sources Privilege

  • To review source content in the Content Browser, you must have the Allowed access level on the Execute queries privilege (see Inspect Items With the Content Browser and Execute Queries Privilege).

  • When a group has the View access level for some or all sources, the corresponding sources are grayed out in the Sources page (see Manage Sources).

  • Unlike for other resources, the ability to create sources can be granted without the Edit access level. When granting privileges, you can therefore grant a group or API key the View all or Custom access level for sources and check the Can Create checkbox to allow users to create sources.

Access level Grantee abilities Typical grantees
View all

Users

Custom (see Note 1)

View

Edit

Edit all
  • Administrators

  • API keys

  • Content managers

Note 1: See Custom Access Level.

Machine Learning Service

Models Privilege

You cannot view and edit Coveo Machine Learning models without the following access levels:

Access level Grantee abilities Typical grantees
View

Review the list of Coveo Machine Learning models inside the organization query pipelines (see Manage Models)

Edit

Add, edit, or delete query pipeline models, and thus optimize search results relevance and search experience in general (see Managing Coveo Machine Learning Automatic Relevance Tuning Models in a Query Pipeline, Managing Coveo Machine Learning Query Suggestions Models in a Query Pipeline, and Managing Coveo Machine Learning Event Recommendations Models in a Query Pipeline)

  • Administrators

  • Relevance managers

Organization Service

API Keys Privilege

  • This privilege is only available when configuring groups, as API keys cannot be granted access rights to view or edit other API keys (see Manage Groups).

  • When members of a group have the View access level for some or all API keys, the corresponding keys are grayed out in the API Keys page (see View and Edit).

Access level Grantee abilities Typical grantees
View all

View in read-only mode the configuration of all API keys (see Manage API Keys).

  • Content managers

  • Relevance managers

Custom (see Note 1)

View

View in read-only mode the configuration of specific API keys (see Manage API Keys).

 
Edit

Edit, delete, activate, and disable specific API keys (see Manage API Keys and Custom Access Levels)

 
Edit all

Add, edit, delete, activate, and disable all API keys (see Manage API Keys and Custom Access Levels)

Administrators

Note 1: See Custom Access Level.

Activities Privilege

Access level Grantee abilities Typical grantees
View

View all organization activities (see Review All Events Related to Coveo Cloud Administration Console Resources)

A member with the View access level could see activities from administration console pages for which they are not granted any access levels.

  • Content managers

  • Relevance managers

Edit

Send custom activities to Coveo Cloud V2 (see Add or Edit a Push Source)

  • Administrators

  • API keys

Elasticsearch Indexes Privilege

This privilege is only available in organizations with an Elasticsearch index (see License).

Access level Grantee abilities Typical grantees
View

 

Edit

Administrators

Groups Privilege

Grant the Edit or Edit all access level for the Groups privilege only to a few people, ideally the authority in your company that manages access rights in corporate systems.

When members of a group have the View access level for some or all groups, the corresponding groups are grayed out in the Groups page (see View and Edit).

Access level Grantee abilities Typical grantees
View all

Analytics managers

Custom (see Note 1)

View

View groups, including their privileges (see Manage Groups)

  • Content managers

  • Relevance managers (see Note 2)

  • Users (see Note 3)

Edit
  • Relevance managers (see Note 2)

  • Users (see Note 3)

Edit all

Administrators

Note 1: See Custom Access Level.

Note 2: By default, members of the Relevance Managers built-in group can edit this group only. This allows them to invite other people in the Relevance Managers group, but not in other groups.

Note 3: By default, members of the Users built-in group can edit this group only. This allows them to invite other people in the Users group, but not in other groups.

Notifications Privilege

Access level Grantee abilities Typical grantees
View

View organization notifications (see Manage Notifications)

 

Edit

Edit and delete organization notifications (see Manage Notifications)

Administrators

On-Premises Organization Privilege

This privilege is required by the Coveo On-Premises Crawling Module API keys only (see Coveo On-Premises Crawling Module and Manage API Keys). Granting it to users or groups does not give them any additional capabilities.

Organization Privilege

Access level Grantee abilities Typical grantees
View

  • Access the Coveo Cloud administration console (see Coveo Cloud V2 Administration Console)

    Without the View access level, an organization member gets the following message when trying to log in to the administration console (see Logging in to Coveo Cloud V2):

    Insufficient Privileges - You currently have insufficient privileges to access the Coveo Cloud administration console of the [OrganizationName] organization. Contact an administrator of the [OrganizationName] organization to change your privileges, or select an organization to which you have access through the Coveo Cloud administration console.

  • View the organization status and license type (see License).

  • Analytics managers

  • Analytics viewers

  • Content managers

  • Relevance managers

  • Users

Edit
  • Edit the organization display name and contact (see Profile)

  • Delete the organization (see Profile)

  • Allow Coveo Professional Services access to the organization (see Profile)

Administrators

SAML Identity Provider Privilege

Access level Grantee abilities Typical grantees
View

View SAML single sign-on settings (see Coveo Cloud V2 SAML SSO)

Edit

Configure SAML single sign-on for the organization and edit the single sign-on settings

Administrators

Snapshots Privilege

Required to use an upcoming feature. Granting it to users or groups does not give them any additional capabilities yet.

Search Service

Execute Queries Privilege

Access level Grantee abilities Typical grantees
Allowed

For organization members and API keys to send queries and get search results in search pages connected to their Coveo Cloud organization (see Searching with Coveo Cloud).

  • Administrators

  • API keys

  • Content managers

  • Relevance managers

  • Users

Impersonate Privilege

Access level Grantee abilities Typical grantees
Allowed

Obtain a search token for a search interface with secured content to perform queries with the end-user identity and return only results the user is authorized to see.

This privilege is especially potent since grantees can impersonate any user and access in search results the content accessible to this user. Grantees could therefore access sensitive items that they cannot normally access in the original repositories. Administrators should be careful when granting this privilege and are encouraged to review the Coveo Cloud privilege documentation before proceeding.

  • Administrators

  • API keys

Modify Authentication Provider Privilege

Access level Grantee abilities Typical grantees
Allowed

Manage authentication for secured sources such as when they are protected with SharePoint claims-based identities.

  • Administrators

  • API keys

Query Pipelines Privilege

You cannot view and edit Coveo Machine Learning models without the View access level on the Models (requires the Edit access level to manage models), Analytics data, and Dimensions privileges (see Privileges).

Access level Grantee abilities Typical grantees
View  
Edit

Optimize results relevance and search experience in general:

  • Administrators

  • Relevance managers

Salesforce Index Configuration Privilege

Access level Grantee abilities Typical grantees
View

Link a Coveo Cloud organization to a Salesforce organization that uses a Salesforce index.

 

  Administrators
Edit

Search Pages Privilege

Access level Grantee abilities Typical grantees
View

Access the search pages hosted by the Coveo Cloud organizations of which a user is a member

Users

Edit

Administrators

View All Content Privilege

Access level Grantee abilities Typical grantees
Allowed

Browse all the content of a Coveo Cloud organization index, and thus be able to troubleshoot search issues (see Inspect Items With the Content Browser).

This privilege is especially potent since grantees bypass the content permissions and could therefore access sensitive items that they cannot normally access in the original repositories. Administrators should be careful when granting this privilege and are encouraged to review the Coveo Cloud privilege documentation before proceeding.

Administrators